
Re: Authentication issues

  • DTNX Postmaster
    Message 1 of 4 , Aug 23, 2013
      On Aug 23, 2013, at 21:38, David Hulsebus <dhulsebus@...> wrote:

      > I apologize in advance for the long post. I started working for a small ISP
      > with around 3000 mailboxes and inherited a Postfix server that I've been
      > auditing. It's based on Ubuntu 8.04 LTS, Postfix 2.51, and runs Courier for
      > pop and imap authentication. It has encrypted passwords in a MySQL database.

      > I believe I need to set up SSL connections for securely passing
      > authentication information to authorize the smtp connection for local or
      > remote clients with virtual accounts wanting to send e-mail.
      >
      > So I'm a bit stumped and confused. The TLS_README indicates I can use
      > STARTTLS for all clients. Those clients will be everything from Outlook
      > Express to Windows Live Mail, Thunderbird, Incredimail, etc... But without
      > the ability to use CRAM-MD5, DIGEST-MD5, NTLM, how can I use TLS to make the
      > connection and authorize the clients?

      STARTTLS happens before AUTH, and it can be made a requirement to
      continue. No TLS set up, no AUTH available. So basically, you cannot
      send the plaintext password unless it's over an encrypted link.

      To make PLAIN authentication work, I reckon you need to remove
      'noplaintext' from 'smtpd_sasl_security_options'.

      Note that Postfix 2.5.1 is rather old, and that Ubuntu 8.04.4 LTS was
      EOL'd in May of this year. This means that it is no longer being
      maintained, no security updates. Upgrading to a newer, supported
      release is recommended.

      Mvg,
      Joni
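
The ordering described in the reply above (STARTTLS first, AUTH only afterwards) can be checked from the EHLO replies a server gives before and after STARTTLS. This is an added example, not part of the original thread: it parses the two replies and reports when PLAIN or LOGIN is advertised on the cleartext session. The sample replies and the hostname `mail.example.test` are constructed.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # mechanisms that send the password itself

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: set(params)}."""
    caps = {}
    for line in reply.strip().splitlines()[1:]:  # line 1 is the greeting
        m = re.match(r"250[- ](\S+)(.*)", line.strip())
        if not m:
            continue
        keyword, rest = m.group(1).upper(), m.group(2)
        if keyword.startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form
            keyword, rest = "AUTH", keyword[5:] + rest
        caps.setdefault(keyword, set()).update(rest.upper().split())
    return caps

def audit(before_tls, after_tls):
    """Return findings for a pair of EHLO replies from one server."""
    pre, post = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered on the cleartext session")
    exposed = PLAINTEXT_MECHS & pre.get("AUTH", set())
    if exposed:
        findings.append("plaintext AUTH offered before TLS: " + ", ".join(sorted(exposed)))
    if "AUTH" not in post:
        findings.append("no AUTH offered after STARTTLS")
    return findings

# Constructed sample replies (hostname is a placeholder).
WEAK_BEFORE = """250-mail.example.test
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""
GOOD_BEFORE = """250-mail.example.test
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""
AFTER_TLS = """250-mail.example.test
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_BEFORE, AFTER_TLS))
    print("good:", audit(GOOD_BEFORE, AFTER_TLS))
```
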
    • Scott Kitterman
      Message 2 of 4 , Aug 23, 2013
        On Friday, August 23, 2013 15:38:38 David Hulsebus wrote:
        > I apologize in advance for the long post. I started working for a small ISP
        > with around 3000 mailboxes and inherited a Postfix server that I've been
        > auditing. It's based on Ubuntu 8.04 LTS, Postfix 2.51, and runs Courier for
        > pop and imap authentication. It has encrypted passwords in a MySQL
        > database.

        That release has been out of security support for a third of a year.
        Upgrading to a supported release should be on your TODO list (pretty high up,
        IMO).

        Ubuntu (due to its Debian heritage) ships Postfix in a chroot by default.
        Make sure you have either taken it out of the chroot or that your changes are
        visible inside the chroot.

        Scott K